Infrastructure

CISA cannot demonstrate how its oversight has improved Dams Sector security and resilience because CISA has not coordinated or tracked its Dams Sector activities, updated overarching national critical infrastructure or Dams Sector plans, and collected and evaluated performance information on Dams Sector activities.  Furthermore, we found that CISA does not consistently provide information to FEMA to help ensure its assistance addresses the most pressing needs of the Dams Sector.  CISA and FEMA also do not coordinate their flood mapping information.  Finally, CISA does not effectively use the Homeland Security Information Network Critical Infrastructure Dams Portal to provide external Dams Sector Stakeholders with critical information.  We recommended that CISA update the Dams Sector-Specific Plan, its internal organization structures, and establish performance metrics to determine its impact on the Dams Sector.  We also recommended it coordinate with FEMA on its grants and flood mapping systems.  Finally, we recommended CISA implement a strategy to use the HSIN-CI Dams portal to its fullest potential.  We made five recommendations to update CISA’s Sector-Specific Plan, internal organization structures, and coordination with FEMA that, when implemented, will improve dam security and resilience.  CISA concurred with all five recommendations.

DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.